A new bill making its way through the Senate would allow the federal government to collect user information from companies like Google and Facebook… without a warrant. The bill, called the Cyber Information Sharing Act (CISA) of 2015, “encourages” private companies to share user information with the federal government with minimal oversight. In a closed-door meeting on Thursday, March 12, the Senate Intelligence Committee approved the bill and is now sending it on for a vote.
Reading through the latest publicly available draft of the bill, CISA’s provisions seem unusually broad and designed to allow future invasions of privacy. Although the bill says its purpose is to prevent hacker attacks, it encourages the sharing of all sorts of user information with wide swaths of the federal government. The bill’s language is extremely vague, and could include everything from user account information to IP address login history to geolocation and even what type of phone a customer uses.
As written, the bill also gives the government a very ambiguous definition of what type of “cyber attack” could compel a private company to send information on to entities like the Pentagon and the Attorney General’s office.
In the closed hearing, the draft version of the bill passed 14-1. Oregon senator Ron Wyden (D), who has been one of Congress’s main privacy advocates, was the lone holdout. Wyden said in a statement, “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens. If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill–it’s a surveillance bill by another name.”
“The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security,” Wyden added, in a veiled challenge aimed at phone carriers and Internet service providers to step up and do more to protect customer privacy.
By approving the bill, the Senate Intelligence Committee is adding fuel to an upcoming confrontation–which was partially on display at this year’s SXSW during Edward Snowden’s surprise presentation–between intelligence agencies and law enforcement, tech companies, and privacy activists. Privacy activists tend to take a maximalist approach toward protection of user information, while tech companies are torn between a need to protect user information, a fear of losing overseas sales to clients afraid of American government surveillance, and a desire to keep enough good faith with the federal government to retain some extremely lucrative long-term contracts. Meanwhile, U.S. intelligence agencies and law enforcement tend to support a “dragnet” approach to cybersecurity that vacuums up as much information as possible for later use.